
Recommended MTU settings for SSL AnyConnect VPN

carl_townshend

Hi All

What are the recommended settings for MTU when using AnyConnect VPN?

We currently have the default of 1406.

We have users complaining of slow performance when using file shares. I know SMB is notoriously slow over WAN links etc. Any recommendations if this can be sped up by setting a smaller MTU, maybe? Also, we do not have the "ignore don't fragment bit" enabled.

Cheers

4 Replies

@carl_townshend I would leave the default MTU settings.

To get the best performance, ensure you are using DTLS 1.2 for data communication; SSL/TLS should be used for the parent tunnel and as a backup in case DTLS is not functioning. You need to ensure your AnyConnect version supports DTLS, so it must be AnyConnect 4.7 or higher.

Hi Rob, thanks for the response. We do have DTLS enabled and are on a recent version of AnyConnect.

These are pretty much our settings. Are any changes needed, or is this OK?

[Image: carl_townshend_0-1737982139121.png]

@carl_townshend Run show vpn-sessiondb detail anyconnect and check the output of a connection that is slow; confirm DTLS 1.2 is in use. https://integratingit.wordpress.com/2021/01/27/securing-asa-tls-ciphers/

Multiple points to solve AnyConnect slowness:

1- Use DTLS

2- Use the correct MTU

3- Split tunnel

For MTU, check this:

https://community.cisco.com/t5/security-knowledge-base/the-importance-of-understanding-mtu-value-in-anyconnect-vpn/ta-p/3164026

MHM